The White House believes that U.S. government agencies largely repelled the latest cyberespionage attack blamed on Russian intelligence operatives, saying the spear-phishing campaign should not further damage relations with Moscow before the presidential summit scheduled for next month.
Officials downplayed the cyberattack as “basic phishing” in which hackers used malware-laden emails to target the computer systems of U.S. and foreign government agencies, think tanks, and humanitarian groups. Microsoft, which revealed the effort Thursday night, said it believed most emails were blocked by automated systems that marked them as spam.
On Friday afternoon, the company said it “sees no evidence of a significant number of compromised organizations at this time.”
Even so, the revelation of a new spy campaign so close to the June 16 summit between President Joe Biden and his Russian counterpart Vladimir Putin adds to the urgency of the White House’s efforts to confront the Kremlin over aggressive cyber activity that criminal charges and diplomatic sanctions have done little to deter.
“I don’t think it will create a new point of tension because the point of tension is already so great,” said James Lewis, senior vice president of the Center for Strategic and International Studies. “This needs to be clearly on the summit’s agenda. The president needs to lay the groundwork” to make it clear “that the time when you can do what you want is over.”
The summit comes amid simmering tensions, driven in part by election meddling from Moscow and a massive breach of U.S. government agencies and private companies by elite Russian cyber spies who infected the software supply chain with malicious code. The United States responded with sanctions last month, prompting the Kremlin to warn of retaliation.
Asked on Friday whether the latest hacking effort would affect the Biden-Putin summit, Deputy Senior Press Secretary Karine Jean-Pierre said: “We will move forward with this.”
The United States, which had previously called out Russia or criminal groups based there for hacking operations, has not blamed anyone for the latest incident. Microsoft attributed it to the group behind the SolarWinds campaign, in which at least nine federal agencies and dozens of private sector companies were breached by a contaminated software update.
In this case, the hackers gained access to a US Agency for International Development email marketing account and, posing as a government agency, targeted around 3,000 email accounts in over 150 different organizations. At least a quarter of them are involved in international development, humanitarian action and human rights, Microsoft Vice President Tom Burt said in a blog post Thursday evening.
The company did not say what portion of the attempts may have led to successful intrusions, but said in a separate technical blog post that most were blocked by automated systems that marked them as spam. The White House said that even if an email escapes these systems, a user would still have to click the link to activate the malicious payload.
Burt said the campaign appeared to be a continuation of multiple efforts by Russian hackers to “target government agencies involved in foreign policy as part of intelligence gathering efforts.” He said the targets covered at least 24 countries.
Separately, leading cybersecurity firm FireEye said it has been following “multiple waves” of spear phishing by hackers from the Russian foreign intelligence agency SVR since March – before the USAID campaign – which used a variety of decoys, including diplomatic notes and embassy invitations.
President Joe Biden said further action could be taken against Russia if it “continues to interfere with our democracy”. “The United States is not seeking to initiate a cycle of escalation and conflict with Russia. We want a stable and predictable relationship,” Biden said.
The hackers gained access to the USAID account at Constant Contact, an email marketing service, Microsoft said. Authentic-looking phishing emails dated May 25 claim to contain new information on the 2020 election fraud allegations and include a link to malware that allows hackers to “gain permanent access to compromised machines.”
Microsoft said the campaign is ongoing and builds on growing phishing campaigns first detected in January.
USAID spokeswoman Pooja Jhunjhunwala said on Friday she was investigating with help from the Cybersecurity and Infrastructure Security Agency. Constant Contact spokesperson Kristen Andrews called it an “isolated incident”.
While the SolarWinds campaign was extremely stealthy and started as early as 2019 before being detected in December by FireEye, this campaign is what cybersecurity researchers are calling loud, that is, easy to detect.
And while “spear phishing emails were quickly identified, we expect any post-compromise action from these actors to be highly skilled and stealthy,” FireEye vice president of analysis John Hultquist said on Friday in a statement, calling it “a reminder that cyber espionage is here to stay.”
Many cybersecurity experts did not view the operation as an escalation of Russian aggression online.
“I think it’s normal,” said Jake Williams, president of Rendition Infosec and former US government hacker. He said it was naïve to think that US cyber operators are not engaged in similar operations targeting adversaries.
Bobby Chesney, a law professor at the University of Texas at Austin specializing in national security, said it was nowhere near as bad as the SolarWinds hack. It also doesn’t come close to the damage caused by the ransomware attack earlier this month – by Russian-speaking criminals tolerated by the Kremlin – which temporarily took the Colonial Pipeline offline.
Chesney said he believed it was wrong to view the USAID targeting as a Russian response to the sanctions or a sign that the sanctions were somehow blameless.
“I don’t think that proves anything, really,” Chesney said. “It’s not at all surprising that the SVR is still engaged in cyber espionage. I don’t think we tried to talk them out of doing this wholesale business.”
Bajak reported from Boston. Associated Press writer Alan Suderman contributed from Richmond, Virginia.